Hackers trade tool tips

MetaSploit toolkit can control PCs over the Internet

It may be well over 100 degrees outside, but cool heads at the Black Hat Briefings security conference here are talking about ways to break into systems to test how secure banks, transportation agencies and government systems really are.

And attendees are spilling out into the halls to hear the presentations, including one on a new toolkit for taking over computers via the Internet.

Presenters HD Moore and Spoonm (as he's known at the conference) are part of a crew of four young security analysts who developed a so-called attack and penetration toolkit called MetaSploit. The free toolkit is intended to help attack and "own" or "root" a machine – hacker vernacular for taking complete control of someone's PC without their permission. Of course, security workers can also use MetaSploit to try to bolster their own systems' defences against such tools.

In fact, the presentation "MetaSploit: Hacking Like in the Movies" drew many security consultants and individuals from US government agencies with three-letter acronyms like DoD and NSA.

MetaSploit is as easy as "point, click, root," Spoonm said during the presentation. It may not be as simple as the presenters suggest, but MetaSploit does enable people to use and customise the tool as they see fit. Spoonm said that the tool has been downloaded roughly 20,000 times.

"Yes, our tool can be used for evil, but many other tools can be used for evil," acknowledged Spoonm, a gregarious American student attending an unspecified Canadian university. The group developed MetaSploit partly to help security consultant HD Moore with his job. Moore helps corporate and government organisations improve their security by bringing to light unrecognised vulnerabilities.

A DoD representative in attendance who declined to give his name called MetaSploit "very significant in terms of adaptability and platform versatility," but said it will "ultimately be used for negative purposes."

"MetaSploit isn't being taken seriously enough" by his peers in government security, the DoD employee added.